author | Dries Buytaert <dries@buytaert.net> | 2010-01-14 13:45:33 +0000 |
committer | Dries Buytaert <dries@buytaert.net> | 2010-01-14 13:45:33 +0000 |
commit | a417a986ea78521dddf72e06e14d2516bba48d09 (patch) | |
tree | 6dd4d0e4b9e75736848fcc5048e336b1aa5cebc6 /modules/user | |
parent | fafabc7e2a692296bd2a4c607991c24e10674b60 (diff) | |
- Patch #638070 by carlos8f, Gábor Hojtsy, ksenzee, pwolanin, chx, catch: router loaders causing a lot of database hits for access checks.
Diffstat (limited to 'modules/user')
-rw-r--r-- | modules/user/user.module | 75 |
1 files changed, 60 insertions, 15 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index e91e40f9b..ee9e5287f 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1347,16 +1347,32 @@ function user_register_access() {
   return user_is_anonymous() && variable_get('user_register', 1);
 }
 
+
+/**
+ * User view access callback.
+ *
+ * @param $account
+ *   Can either be a full user object or a $uid.
+ */
 function user_view_access($account) {
-  return $account && $account->uid &&
-    (
-      // Always let users view their own profile.
-      ($GLOBALS['user']->uid == $account->uid) ||
-      // Administrators can view all accounts.
-      user_access('administer users') ||
-      // The user is not blocked and logged in at least once.
-      ($account->access && $account->status && user_access('access user profiles'))
-    );
+
+  $uid = is_object($account) ? $account->uid : (int) $account;
+
+  // Never allow access to view the anonymous user account.
+  if ($uid) {
+    // Admins can view all, users can view own profiles at all times.
+    if ($GLOBALS['user']->uid == $uid || user_access('administer users')) {
+      return TRUE;
+    }
+    elseif (user_access('access user profiles')) {
+      // At this point, load the complete account object.
+      if (!is_object($account)) {
+        $account = user_load($uid);
+      }
+      return (is_object($account) && $account->access && $account->status);
+    }
+  }
+  return FALSE;
 }
 
 /**
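Review bot: The new docblock on user_view_access() documents $account but not the return value, and the rewrite drops the only comment that explained why `$account->access` is part of the check. Add `@return TRUE if the current user may view the account, FALSE otherwise.` to the docblock, and above the final `return (is_object($account) && $account->access && $account->status);` restore the removed explanation, e.g. `// Only active accounts that have logged in at least once are visible.`. It is also worth stating in the docblock that the 'administer users' branch now returns TRUE without loading the account, so a non-existent uid passes this callback and is only turned into a 404 by user_view_page(); that is intentional per the page-callback comment in the last hunk, but a reader of this function alone cannot tell.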
@@ -1520,17 +1536,18 @@ function user_menu() {
     'weight' => -8,
   );
 
-  $items['user/%user_uid_optional'] = array(
+  // Use %user_uid_only_optional here to avoid loading the full user for
+  // basic access checks.
+  $items['user/%user_uid_only_optional'] = array(
     'title' => 'My account',
     'title callback' => 'user_page_title',
     'title arguments' => array(1),
-    'page callback' => 'user_view',
+    'page callback' => 'user_view_page',
     'page arguments' => array(1),
     'access callback' => 'user_view_access',
     'access arguments' => array(1),
     'weight' => -10,
     'menu_name' => 'user-menu',
-    'file' => 'user.pages.inc',
   );
 
   $items['user/%user/view'] = array(
@@ -1616,6 +1633,7 @@ function user_init() {
  *   cannot be loaded.
  *
  * @see user_load()
+ * @todo rethink the naming of this in Drupal 8.
  */
 function user_uid_optional_load($uid = NULL) {
   if (!isset($uid)) {
@@ -1663,7 +1681,9 @@ function user_category_load($uid, &$map, $index) {
 }
 
 /**
- * Returns the user id of the currently logged in user.
+ * Returns $arg or the user ID of the current user if $arg is '%' or empty.
+ *
+ * @todo rethink the naming of this in Drupal 8.
  */
 function user_uid_optional_to_arg($arg) {
   // Give back the current user uid when called from eg. tracker, aka.
@@ -1673,10 +1693,25 @@ function user_uid_optional_to_arg($arg) {
 }
 
 /**
+ * Returns $arg or the user ID of the current user if $arg is '%' or empty.
+ *
+ * @todo rethink the naming of this in Drupal 8.
+ */
+function user_uid_only_optional_to_arg($arg) {
+  return user_uid_optional_to_arg($arg);
+}
+
+/**
  * Menu item title callback - use the user name.
  */
-function user_page_title($account) {
-  return format_username($account);
+function user_page_title($uid) {
+  if ($GLOBALS['user']->uid == $uid) {
+    $account = $GLOBALS['user'];
+  }
+  else {
+    $account = user_load($uid);
+  }
+  return is_object($account) ? format_username($account) : '';
 }
 
 /**
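Review bot: In the user_page_title() hunk, `$uid` is compared with `==` and handed straight to user_load(), whereas user_view_access() in the first hunk normalizes the same router argument with `(int)`. Since this commit defines only a _to_arg function for %user_uid_only_optional and no _load function, the callbacks presumably receive the raw path component, so a value that is not a clean integer (say `5abc`, a constructed example) can be accepted by the access check as uid 5 while the title and page callbacks resolve it differently, and PHP's loose int-vs-string comparison rules also vary by version. Normalize once at the top of the function, `$uid = (int) $uid;`, and do the same in user_view_page() in the following hunk so that access, title and page all agree on which account is meant. The body of user_page_title() is fully inside this hunk.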
@@ -2108,6 +2143,16 @@ function _user_cancel($edit, $account, $method) {
 }
 
 /**
+ * Page callback wrapper for user_view().
+ */
+function user_view_page($uid) {
+  // An administrator may try to view a non-existent account,
+  // so we give them a 404 (versus a 403 for non-admins).
+  $account = user_load($uid);
+  return is_object($account) ? user_view($account) : MENU_NOT_FOUND;
+}
+
+/**
  * Generate an array for rendering the given user.
  *
  * When viewing a user profile, the $page array contains:
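Review bot: The new user_view_page() docblock has no `@param`/`@return`, and the MENU_NOT_FOUND return is the one non-obvious part of the wrapper. Extend the docblock with `@param $uid The user ID taken from the path.` and `@return A renderable array from user_view(), or MENU_NOT_FOUND when no account with that ID exists.` so the 403-versus-404 split explained in the inline comment is visible from the function's contract. The whole function is inside this hunk.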